
Network Security






Presentation Transcript


  1. Network Security

  2. Remote Authentication Dial-In User Service (RADIUS)
     • RADIUS systems authenticate users on a client/server network
     • Used for dial-in, wireless, and Internet access
     • The server that hosts RADIUS is referred to as the Network Access Server (NAS)
     • The NAS stores user names and passwords and records user activity on the network

  3. Rogue Wireless Access Points
     • Rogue access point: an unauthorized WAP that is installed on a network system
     • Can compromise wireless network security
     • Can be prevented by using a wireless intrusion prevention system (WIPS) or by setting up an 802.1x system

  4. Authentication, Authorization, and Accounting (AAA)
     • Standard that is the most common model used for network access
     • The dominant client/server security models that support AAA are RADIUS, TACACS+, and Diameter

  5. Diameter
     • Applicable to roaming devices such as cell phones
     • Allows attributes to be added to the basic Diameter protocol to meet AAA security requirements
     • Any device acting as a relay between the AAA authenticator and the client is referred to as an AAA proxy

  6. TACACS+
     • Stands for Terminal Access Controller Access-Control System Plus
     • Should not be confused with TACACS; they are completely different systems
     • Alternative to RADIUS

  7. RADIUS and TACACS+ Comparison

  8. Password Authentication Protocol (PAP)
     • Basic password authentication technique used for HTTP and remote dial-up access
     • No longer used because the user name and password are not encrypted

  9. Challenge Handshake Authentication Protocol (CHAP)
     • CHAP was designed to be used with PPP
     • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is an enhanced version of CHAP and can only be used on Microsoft operating systems

  10. How CHAP Works
     • Client connects to a remote system using PPP
     • Server sends a challenge to the client
     • Server (authentication agent) sends a key to the client so it can encrypt its user name and password
     • Client responds with a key that represents its user name and password
     • Server accepts or rejects the client's user name and password based on a matching encryption key
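The challenge/response round described above, as an added example that is not part of the slides: CHAP with the MD5 algorithm as specified in RFC 1994, where the response is MD5(identifier || shared secret || challenge). The shared secrets and challenge values are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the slides: CHAP (RFC 1994) with the MD5 algorithm.
# Response = MD5(identifier || shared secret || challenge). The secret never crosses
# the wire; only the identifier, the challenge and the hash do. Secrets are constructed.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: hash the one-octet identifier, the shared secret and the server's challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response from its own copy of the secret and compare."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)  # constant-time comparison

def chap_exchange(client_secret: bytes, server_secret: bytes,
                  identifier: int = 1, challenge: Optional[bytes] = None) -> bool:
    """One authentication round: server issues a challenge, client answers, server accepts or rejects."""
    if challenge is None:
        challenge = os.urandom(16)  # fresh, unpredictable challenge: an old captured response is useless
    response = chap_response(identifier, client_secret, challenge)
    return chap_verify(identifier, server_secret, challenge, response)

if __name__ == "__main__":
    print("matching secrets:", chap_exchange(b"s3cret-shared", b"s3cret-shared"))
    print("mismatched secrets:", chap_exchange(b"s3cret-shared", b"wrong"))
```

Because the server compares hashes rather than receiving the password, CHAP avoids the cleartext exposure of PAP; the periodic re-challenge also lets the server re-check the peer during a session.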

  11. Kerberos
     • Client and server are authenticated to each other
     • Encryption key (encodes data) and decryption key (decrypts data) are used for privacy

  12. Extensible Authentication Protocol (EAP)
     • Used for network access and authentication in a client/server environment when IP is not available
     • Sends clear text messages
     • Originally developed to be used with PPP
     • Also used for 802.1x wireless connections and for access and authentication to network switches

  13. Protected Extensible Authentication Protocol (PEAP)
     • Extension of EAP
     • Works by first establishing a secure connection using Transport Layer Security (TLS)
     • TLS provides encryption for the EAP connection and ensures data integrity

  14. Lightweight Extensible Authentication Protocol (LEAP)
     • An improved EAP standard developed by Cisco Systems for its line of Wireless Access Points (WAPs)
     • LEAP periodically re-authenticates the wireless connection
     • This ensures the client is still the original authenticated client and the connection has not been hijacked

  15. Security Implementations
     • Various measures include:
        • Installing the latest software updates and patches
        • Setting up an account for daily administrative tasks
        • Changing the default administrator's name
        • Educating system users in security practices

  16. Software Patches
     • Should be applied:
        • Immediately after installing new software
        • As they become available
     • Contain fixes that close security holes and fix software bugs
     • Periodically, Microsoft releases a service pack for its software and operating systems

  17. Administrator Account
     • User provides the password for the default administrator account
     • The default administrator account name should be changed to better secure the network
     • The ability to delete or rename the administrator account varies according to operating system

  18. User Account Passwords
     • To make passwords more secure, administrators should:
        • Set defaults for password history, age, and length
        • Educate users about poor and secure passwords

  19. Poor Passwords
     • Poor passwords contain:
        • Words that are found in a dictionary
        • Names familiar to the password owner
        • Keyboard patterns
        • Social security numbers
     • Secure passwords are less vulnerable to hash-cracking techniques
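A policy check that enforces the points from the two password slides above (length and history from "User Account Passwords"; dictionary words, familiar names, keyboard patterns and social security numbers from "Poor Passwords"), as an added example that is not part of the slides. SAMPLE_DICTIONARY, KEYBOARD_ROWS and the history set are constructed sample data.

```python
import hashlib
import re

# Added example, not from the slides: flag the weaknesses listed on the "Poor Passwords"
# slide plus the length and history settings from "User Account Passwords".
# SAMPLE_DICTIONARY and the history set are constructed; a real system would use a full
# word list and the directory's stored password history.

SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
SSN_PATTERN = re.compile(r"\d{3}-?\d{2}-?\d{4}")  # US social security number, dashes optional

def history_digest(password: str) -> str:
    """Digest kept in the password history (unsalted here for brevity; real stores salt each entry)."""
    return hashlib.sha256(password.encode()).hexdigest()

def has_keyboard_run(password: str, run_length: int = 4) -> bool:
    """True if run_length adjacent keys of one keyboard row appear in order, forwards or backwards."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run_length] in lowered for i in range(len(seq) - run_length + 1)):
                return True
    return False

def password_violations(password, history, personal_names, min_length=12, dictionary=SAMPLE_DICTIONARY):
    """Return the policy rules the candidate password breaks (an empty list means it passes)."""
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append("too short")
    if history_digest(password) in history:
        problems.append("reused")  # password history: no reuse of a previous password
    if any(word in lowered for word in dictionary):
        problems.append("dictionary word")
    if any(name.lower() in lowered for name in personal_names if name):
        problems.append("familiar name")
    if has_keyboard_run(password):
        problems.append("keyboard pattern")
    if SSN_PATTERN.search(password):
        problems.append("social security number")
    return problems

if __name__ == "__main__":
    print(password_violations("qwerty123", set(), ["Alice"]))
```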

  20. Windows Server 2008 Password Policies

  21. Firewall
     • Can consist of hardware, software, or a combination
     • Servers, routers, and PCs may be used
     • Designed to filter the inbound and outbound flow of network packets based on factors such as:
        • IP address
        • Port number
        • Software application
        • Packet contents
        • Protocol

  22. Firewall Example

  23. Windows Firewall with Advanced Security

  24. Packet Filter
     • Stateless packet inspection
        • Does not take into account packet sequence or missing packets
        • Aligns with layer 3 of the OSI model
     • Stateful packet inspection
        • Applies a filter based on packet sequence
        • Detects missing packets
        • Aligns with layers 3 and 4 of the OSI model
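The stateless/stateful distinction above, as an added example that is not part of the slides: a stateless filter judges each packet on its own header fields, so it must admit inbound traffic to ephemeral ports to let replies through; a stateful filter remembers which connections were opened from inside and admits only inbound packets that belong to one of them. The addresses, ports and packets below are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the slides. INTERNAL_NET and SAMPLE_TRAFFIC are constructed.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag, set on the packet that opens a connection

def _inbound(pkt: Packet) -> bool:
    """Packet enters the private network from outside."""
    return (ipaddress.ip_address(pkt.dst) in INTERNAL_NET
            and ipaddress.ip_address(pkt.src) not in INTERNAL_NET)

def stateless_filter(packets):
    """Layer-3 stateless inspection: each packet is decided alone, no memory of earlier packets."""
    decisions = []
    for pkt in packets:
        if not _inbound(pkt):
            decisions.append("allow")  # outbound from the private network
        elif pkt.dport > 1023:
            decisions.append("allow")  # looks like a reply to a client, but the filter cannot tell
        else:
            decisions.append("deny")   # inbound to a well-known service port
    return decisions

def stateful_filter(packets):
    """Layer-3/4 stateful inspection: track connections opened from inside, admit only their replies."""
    table = set()
    decisions = []
    for pkt in packets:
        if not _inbound(pkt):
            if pkt.syn:
                table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))  # remember the new connection
            decisions.append("allow")
        elif (pkt.dst, pkt.dport, pkt.src, pkt.sport) in table:
            decisions.append("allow")  # reply to a connection we saw being opened
        else:
            decisions.append("deny")   # unsolicited inbound, whatever the port
    return decisions

SAMPLE_TRAFFIC = [
    Packet("10.0.0.7", 51000, "203.0.113.5", 443, syn=True),  # internal client opens HTTPS
    Packet("203.0.113.5", 443, "10.0.0.7", 51000),            # legitimate reply
    Packet("198.51.100.9", 443, "10.0.0.7", 51001),           # unsolicited packet to a high port
    Packet("198.51.100.9", 40000, "10.0.0.7", 22),            # unsolicited packet to SSH
]
```

Run over SAMPLE_TRAFFIC, the stateless filter admits the third packet because its destination port looks like a client's ephemeral port, while the stateful filter rejects it because no inside host opened that connection.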

  25. Application Gateway

  26. Content Filter
     • Configured to block specific Web sites or packet contents that contain specific terms
     • Administrator can control the list of terms
     • Can also incorporate protection from malware

  27. Circuit-Level Gateway
     • After the connection is established, packets can flow freely between the two hosts
     • Packet sequence is encoded, making it difficult for intruders to access the stream of data

  28. Firewall Signature Identification
     • Requires constant updates of new signatures
     • No signature is immediately available for new malware

  29. Demilitarized Zone (DMZ)
     • Can be created with a router or a server with three network adapters installed
     • When configured with a server:
        • One network adapter connects to the Internet
        • A second network adapter connects to the DMZ
        • The third network adapter connects to the private section of the network

  30. Proxy Server
     • Can be configured to allow packets to flow into and out of the network if they meet certain conditions:
        • Specific IP addresses
        • Certain protocols
        • Server names or URLs
     • May cache frequently visited Web sites, making it faster to access those Web sites

  31. Physical Security
     • Physically securing file servers, hubs, routers, workstations, or any other point of access
     • Locating network devices in secure rooms
     • Biometrics: identifying unique features such as fingerprints, speech, eye color, and facial features
     • Smart card: access to computer systems is granted after the correct PIN is entered

  32. Security Tools
     • Identify network security weaknesses
     • Probe the network, searching for vulnerabilities
     • Some security tools used are:
        • GFI LANguard
        • Netstat utility
        • Audit tools
        • Self-hack tools
        • Protocol analyzer
        • Packet sniffer

  33. GFI LANguard

  34. In-Class Lab
     1. Apply for a trial version of a digital certificate from a CA such as Verisign. After obtaining the digital certificate, try it out with a classmate.
     2. Labsim 8.34
     3. Roberts Lab 74
     Next class: November 18th, 2013
     Labsim homework: 8.4.1-8.4.3
